How to secure website hosted on AWS with free SSL Certificate from AWS Certificate Manager (ACM)?

1. Introduction

When we have a website that requires user to login or provide any sensitive financial information, how far do our customers trust the website to provide such information?

We have come across so many incidents where the credit card numbers are hacked & misused. Do our customers ever verify if the website they’re planning to make payments at are secured & trust-worthy? How do we make sure the customer feels safe to provide these information on our website?

To get through all these challenges in business, we need to secure our website with HTTPS.

2. What is HTTPS?

HTTP is the networking protocol that enables the client-server communication over the network. HTTPS is the secured version of the HTTP protocol. S stands for Secured.

• HTTPS means the site is safe & secured
• Communication between the browser & the website is encrypted
• Communication between the browser and the website are on SSL (Secure Sockets Layer) Port 443

SSL is a common term when it comes to the security of a website. This is the industry standard to protect websites & its online transactions. Enabling or setting up SSL on our website makes sure the information between the browser and the website is encrypted while transferring over internet.

There are multiple DNS service providers who also provide SSL Certificates for the website’s domain purchased through them.

3. Step by Step Guide

Step 1: Configure the server with a unique IP address.

Step 2: Generate a Certificate Signing Request (CSR) & a private key for the SSL Certificate and give it to a Certificate Authority (CA). Major CA players in the market are GoDaddy, Comodo, Let’s Encrypt, DigiCert, etc., These third party CAs charge a yearly price for the issued SSL Certificates. For example: GoDaddy costs around Rs.549/- for the first year, followed by Rs. 2,400/- per year.

Step 3: Provide appropriate information for the CA to validate your domain.

Step 4: CA issues the SSL Certificate after validation. Activate the certificate.

Step 5: Install the certificate on the server where the website is hosted.

Step 6: Update the website configurations to use HTTPS.

Step 7: The SSL Certificates requires to be renewed. Make a note to renew the certificate before expiration.

Now, If your infrastructure is hosted on AWS Cloud, you can leverage AWS as a Certificate Authority with the service AWS Certificate Manager.

4. Leveraging AWS Certificate Manager:

AWS provides a service to ease the process of provisioning, managing & deploying the SSL/TLS Certificates. These SSL Certificates can be used for the websites hosted using AWS services. ACM also provides the ability to import the SSL Certificates into ACM & use them in the applications.

More than provisioning the SSL Certificate from the third party, the overhead is with uploading, maintaining and renewing the SSL Certificate. With ACM, the management of SSL Certificates is taken care by AWS.

Provisioning of SSL Certificate from the AWS Certificate Manager is just with few clicks following the below steps:

• Provide the domain name of the website or application for which SSL Certificate needs to be provisioned
• Verify the domain name for validation
• Domain owner needs to approve the validation request
• ACM Certificate is provisioned & ready to be used with other AWS services

5. Steps to Provision ACM SSL Certificate:

1. Provide the domain name

2. Domain name validation:

The validation is to confirm if the domain for which we are requesting the certificate is actually owned by the requestor. There are two methods of validation for domain owners, namely:

• DNS Validation
• Email Validation

DNS Validation

i. Choose the validation method as DNS validation to modify & validate the DNS entry of the mentioned domain

ii. Review the details of the domain & click on Confirm and request

If the domain is hosted with Route 53, ACM can directly update the Hosted Zone of the domain with a new record set (CNAME record set). This can be done by clicking on Create Record in Route53 or we can manually update the record set in Route 53.

If the domain is not hosted with Route 53, we need to update the CNAME record of the DNS configuration of our domain.

iii. Click Create, this will create a new record set in the Route 53 Hosted Zone

iv. Check for the Hosted Zone to verify if ACM has created a record set for the certificate

Email Validation

i. Choose validation method as Email Validation, if we do not have permission to update the DNS configuration. This method will send an Email to all the domain owners for validation. Once the domain owners’ approve, AWS ACM issues a SSL Certificate to that particular domain.

ii. After approval of the certificate, ACM Certificate is ready to be used & is displayed in the ACM console

The issued ACM Certificate cannot be directly deployed on the webservers like Apache or Nginx. The ACM Certificates can be deployed on websites which use either of the following services:

• Elastic Load Balancing
• Amazon CloudFront
• AWS CloudFormation
• Amazon API Gateway
• AWS Elastic Beanstalk

6. Limitations of ACM:

• Number of ACM Certificates per AWS Account – 100 {Default limit}
• Number of ACM Certificates per year – twice the account limit
• Number of domain names per ACM Certificate – 10
• Number of imported certificates per AWS Account – 100

7. Advantages of ACM:

• Managed Renewal: AWS manages the auto-­­­­­­­­­­­­­­­­­­­­­­renewal of certificates before expiry
• Browser & Application Trustable: All major browsers trust ACM Certificate as a public SSL Certificate
• Supports Wildcard Certificates: Allows certificate with *(wildcard) domain names
• Validity: Each ACM Certificate is valid for 13 months
• Cost: SSL/TLS Certificates by ACM are free

8. Conclusion

We have used this method to implement SSL for multiple clients whose websites are hosted on AWS. In case you are looking to have ACM setup quicky for your website / application, kindly visit our consulting website, fill up the quick inquiry form and we will get in touch with you within 24 hours.

9. About CloudThat

CloudThat is AWS (Amazon Web Services) Advanced Consulting Partner, AWS authorized Training Partner, Microsoft Gold Partner, and Winner of the Microsoft Asia Superstar Campaign for India: 2021. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere to advance in their businesses.

To get started, go through our Expert Advisory page and Managed Services Package that is CloudThat’s offerings. Then, you can quickly get in touch with our highly accomplished team of experts to carry out your migration needs. Feel free to drop a comment or any queries that you have about AWS Certificate Manager (ACM), SSL Certificate, or any other AWS Certification, we will get back to you quickly.

WRITTEN BY Prarthit Mehta

Prarthit Mehta is the Business Unit Head-Cloud Consulting at CloudThat. He is an AWS ambassador and has experience delivering solutions for customers from various industry domains. He also holds working experience in AWS and Big data platforms. He is an AWS Certified Architect - Professional and a certified Microsoft Azure Solutions Architect.